Mail server

Source: Kuutõrvaja

Introduction

As a counterweight to a rather amusing article in Äripäev ( http://209.85.135.104/search?q=cache:HtdTW-LZ1_IJ:www.aripaev.ee/3693/rubr_artiklid_369301.html&hl=et&strip=1 ), I thought I'd write about Postfix.

A snippet from that article:

"Exchange 2000, as is well known, has capacity limits. 16 gigabytes for all users' e-mail is too little, considering the growth of the office. I have also noticed that the volume of correspondence keeps growing," said Linros, explaining the main reason for the migration. The firm has 50 employees including the notaries, all of whom use Microsoft Exchange and its client program Outlook. The capacity limit of Exchange 2007 is many times larger and in Linros's opinion no trouble with it is to be expected for quite a long time. ... Dell server hardware was used to implement the notary office's solution; the total cost came to 250,000 kroons. DELL PowerEdge 2950 server specifications: processor: Dual Core Intel Xeon 5120, 4 MB cache, 1.86 GHz, 1066 MHz FSB; memory: 8 GB FB 667 MHz FBD; other: hard disks duplicated, power supply, remote management card. Why was this particular hardware chosen? With 50 users the Exchange server must in any case have 8 GB of memory. The hardware and the Windows server must be 64-bit. The remote management card was added so that the server could be securely administered remotely from outside through a VPN. The Veritas Backup software was upgraded - the older version did not support Exchange 2007. Microsoft software: MS Windows Server Std 2003 R2a 64bit ENG - 2 pcs; MS Exchange Server 2007 English OLP NL - 1 pc; Windows Med Biz Infra CAL English OLP NL Promo User CAL (includes CALs for both the Windows and the Exchange server; the Microsoft promo was valid until 29.06.07) - 50 pcs.

Software selection
 * The OS will be [[1]]
 * Mail is received by [[2]]
 * Greylisting in Postfix is done by [[3]]
 * Spam & viruses are checked by amavis with the help of [[4]] & [[5]].
 * Mail is served to users by [[6]]
 * User data is kept in [[7]]
 * From the web, users can read their mail through [[8]] and manage their accounts through [[9]]
 * Mailing lists are managed by [[10]]

Installation

I won't describe the FreeBSD installation here and assume that the ports tree is in place & was updated recently.

Postfix

First, install the Postfix server that receives the mail - without it a mail server makes little sense in the long run.


cd /usr/ports/mail/postfix
make install clean


Options chosen at install time ( which can be copy-pasted into that same file ):

cat /var/db/ports/postfix/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for postfix-2.4.5,1
_OPTIONS_READ=postfix-2.4.5,1
WITH_PCRE=true
WITH_SASL2=true
WITHOUT_DOVECOT=true
WITHOUT_SASLKRB=true
WITHOUT_SASLKRB5=true
WITHOUT_SASLKMIT=true
WITH_TLS=true
WITHOUT_BDB=true
WITHOUT_MYSQL=true
WITH_PGSQL=true
WITHOUT_OPENLDAP=true
WITH_CDB=true
WITHOUT_NIS=true
WITH_VDA=true
WITHOUT_TEST=true

What matters here is that SASL2, TLS, PGSQL and VDA support are enabled.

 * SASL2 provides SMTP-AUTH, whereby the sender is required to log in before sending mail - to stop random spammers from using the server at will.
 * TLS is the encryption protocol that protects the user's credentials when logging in with SMTP-AUTH.
 * PGSQL is PostgreSQL server support, for looking up the domains and the users under them to whom incoming mail is delivered.
 * VDA delivers the mail neatly into place.

Cyrus-SASL

If the cyrus-sasl2 port is not installed yet, it will be installed as part of the Postfix installation.

Options:

cat /var/db/ports/cyrus-sasl2/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for cyrus-sasl-2.1.22
_OPTIONS_READ=cyrus-sasl-2.1.22
WITH_BDB=true
WITHOUT_MYSQL=true
WITHOUT_PGSQL=true
WITHOUT_SQLITE=true
WITH_DEV_URANDOM=true
WITHOUT_ALWAYSTRUE=true
WITH_KEEP_DB_OPEN=true
WITH_AUTHDAEMOND=true
WITH_LOGIN=true
WITH_PLAIN=true
WITH_CRAM=true
WITH_DIGEST=true
WITH_OTP=true
WITH_NTLM=true

Be sure to select AUTHDAEMOND and suitable login methods for SMTP-AUTH/IMAP, such as LOGIN, PLAIN, CRAM..

For Postfix to reach the users held in the database, courier-authlib is also needed: through it the existence of users is checked for SMTP-AUTH, which in turn uses cyrus-sasl2, which in turn uses courier-authlib for that.. phew ;-)

courier-authlib

cd /usr/ports/security/courier-authlib
make install clean

Options:

# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for courier-authlib-0.59.3
_OPTIONS_READ=courier-authlib-0.59.3
WITHOUT_GDBM=true
WITHOUT_AUTH_LDAP=true
WITHOUT_AUTH_MYSQL=true
WITH_AUTH_PGSQL=true
WITHOUT_AUTH_USERDB=true
WITHOUT_AUTH_VCHKPW=true

postfix-gps

cd /usr/ports/mail/postfix-gps
make install clean

amavis

cd /usr/ports/security/amavisd-new
make install clean

Options:

cat /var/db/ports/amavisd-new/options 
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for amavisd-new-2.5.4,1
_OPTIONS_READ=amavisd-new-2.5.4,1
WITH_BDB=true
WITHOUT_SQLITE=true
WITHOUT_MYSQL=true
WITH_PGSQL=true
WITHOUT_LDAP=true
WITH_SASL=true
WITHOUT_MILTER=true
WITH_SPAMASSASSIN=true
WITHOUT_P0F=true
WITH_ALTERMIME=true
WITH_FILE=true
WITH_RAR=true
WITH_UNRAR=true
WITH_ARJ=true
WITHOUT_UNARJ=true
WITH_LHA=true
WITH_ARC=true
WITHOUT_NOMARCH=true
WITH_CAB=true
WITH_RPM=true
WITH_ZOO=true
WITHOUT_UNZOO=true
WITH_LZOP=true
WITH_FREEZE=true
WITH_P7ZIP=true
WITHOUT_TNEF=true

Installing amavis also installs SpamAssassin:

Options:

cat /var/db/ports/p5-Mail-SpamAssassin/options 
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for p5-Mail-SpamAssassin-3.2.4_2
_OPTIONS_READ=p5-Mail-SpamAssassin-3.2.4_2
WITHOUT_AS_ROOT=true
WITHOUT_SPAMC=true
WITH_SACOMPILE=true
WITHOUT_DKIM=true
WITH_SSL=true
WITH_GNUPG=true
WITHOUT_MYSQL=true
WITH_PGSQL=true
WITH_RAZOR=true
WITH_SPF_QUERY=true
WITH_RELAY_COUNTRY=true

ClamAV

cd /usr/ports/security/clamav
make install clean

Options:

cat /var/db/ports/clamav/options               
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for clamav-0.92.1_1
_OPTIONS_READ=clamav-0.92.1_1
WITH_ARC=true
WITH_ARJ=true
WITH_LHA=true
WITH_UNZOO=true
WITH_UNRAR=true
WITHOUT_MILTER=true
WITHOUT_LDAP=true
WITHOUT_ICONV=true
WITHOUT_STDERR=true
WITH_EXPERIMENTAL=true

Courier-IMAP

Once mail has been received, it would be nice to get at it with a mail client too. Courier-IMAP offers that over both the POP3 and the IMAP protocol, reading the data from Maildir-format directories.

cd /usr/ports/mail/courier-imap
make install clean

Options:

cat /var/db/ports/courier-imap/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for courier-imap-4.1.3,1
_OPTIONS_READ=courier-imap-4.1.3,1
WITH_OPENSSL=true
WITHOUT_FAM=true
WITHOUT_DRAC=true
WITH_TRASHQUOTA=true
WITHOUT_GDBM=true
WITH_IPV6=true
WITHOUT_AUTH_LDAP=true
WITHOUT_AUTH_MYSQL=true
WITH_AUTH_PGSQL=true
WITHOUT_AUTH_USERDB=true
WITHOUT_AUTH_VCHKPW=true


PostgreSQL

Keeping user data in a database is nice because it is one more piece of the mail puzzle that allows scaling more comfortably in the future.

cd /usr/ports/database/postgresql83
make install clean

Options:

cat /var/db/ports/postgresql83/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for postgresql-server-8.3.1
_OPTIONS_READ=postgresql-server-8.3.1
WITH_NLS=true
WITHOUT_PAM=true
WITHOUT_LDAP=true
WITHOUT_MIT_KRB5=true
WITHOUT_HEIMDAL_KRB5=true
WITH_OPTIMIZED_CFLAGS=true
WITH_XML=true
WITH_TZDATA=true
WITHOUT_DEBUG=true
WITHOUT_ICU=true
WITH_INTDATE=true

Mailman

Any somewhat larger company/organization will also need mailing lists for distributing information conveniently. Mailman is perfectly suitable for that.

cd /usr/ports/mail/mailman
make install clean

Options:

cat /var/db/ports/mailman/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for mailman-with-htdig-2.1.9_5
_OPTIONS_READ=mailman-with-htdig-2.1.9_5
WITHOUT_SENDMAIL=true
WITHOUT_EXIM3=true
WITHOUT_EXIM4=true
WITH_POSTFIX=true
WITHOUT_COURIER=true
WITHOUT_CHINESE=true
WITHOUT_SLOVAK=true
WITH_HTDIG=true

Web

Besides accessing mail through the mail client on one's own computer ( on Windows I'd recommend The Bat! and on *NIX Evolution ), access from the web is still needed as well - for example while travelling or sitting in cafés.

I'll leave out the apache/php installation guide here, since a little initiative is badly needed on top of the copy-paste done so far :-) The required software has already been described above, is available in ports and comes with completely exhaustive documentation.

NB! Postfixadmin needs one extra patch: http://troels.arvin.dk/db/postfixadmin/

Configuration

By now a lot of software should be installed, and it needs to be made to work. We'll do that in the same order.

Postfix

The required files live under /usr/local/etc/postfix.. so:

cd /usr/local/etc/postfix

The most important one is main.cf, which controls the behaviour of smtpd & friends:

/usr/local/etc/postfix/main.cf:

queue_directory = /var/spool/postfix
command_directory = /usr/local/sbin
daemon_directory = /usr/local/libexec/postfix
mail_owner = postfix
myhostname = mail.domeen.ee
local_recipient_maps = $virtual_mailbox_maps
unknown_local_recipient_reject_code = 550
mynetworks_style = host
relay_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/relay_domains.cf, list.domeen.ee
virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_limit_maps = pgsql:/usr/local/etc/postfix/pgsql/virtual_mailbox_limits.cf
virtual_maildir_extended = yes
virtual_create_maildirsize = yes
virtual_mailbox_limit_inbox = yes
virtual_mailbox_limit_override = yes
virtual_mailbox_base = /var/maildata
virtual_mailbox_limit = 51200000
virtual_minimum_uid = 465
virtual_transport = virtual
virtual_uid_maps = static:465
virtual_gid_maps = static:465
local_transport = virtual
transport_maps = hash:/usr/local/etc/postfix/transport
mailman_destination_recipient_limit = 1
alias_maps = hash:/usr/local/mailman/data/aliases
smtpd_banner = MAIL - ESMTP $mail_name
debug_peer_level = 1
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/local/sbin/sendmail
newaliases_path = /usr/local/bin/newaliases
mailq_path = /usr/local/bin/mailq
setgid_group = maildrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /usr/local/etc/postfix
readme_directory = no

# anti-spam
content_filter=amavis:[127.0.0.1]:65024
disable_vrfy_command = yes
maximal_queue_lifetime = 7d
smtp_helo_timeout = 30s
smtp_mail_timeout = 60s
smtp_rcpt_timeout = 60s
smtpd_client_connection_count_limit = 100
smtpd_client_connection_rate_limit = 3000
smtpd_client_message_rate_limit = 1000
smtpd_client_recipient_rate_limit = 120
smtpd_client_restrictions = permit_inet_interfaces, reject_unknown_client_hostname, sleep 3,  reject_rbl_client sbl-xbl.spamhaus.org
smtpd_error_sleep_time = 3
smtpd_helo_required = yes
smtpd_helo_restrictions = warn_if_reject reject_invalid_helo_hostname, sleep 3, warn_if_reject  reject_unknown_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_auth_destination,  permit_sasl_authenticated, sleep 5, reject_non_fqdn_recipient, reject_unauth_destination,  reject_unknown_recipient_domain
smtpd_sender_restrictions = check_policy_service unix:private/policy
strict_rfc821_envelopes = yes
strict_7bit_headers = YES
smtpd_delay_reject = yes

# smtp-auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /usr/local/etc/postfix/server.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/server.pem
smtpd_tls_CAfile = /usr/local/etc/postfix/server.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

data_directory = /var/db/postfix

At the end of /usr/local/etc/postfix/master.cf:

mailman   unix  -       n       n       -       -       pipe
  flags=FR user=mailman argv=/usr/local/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
policy  unix    -       n       n       -       -       spawn
        user=nobody     argv=/usr/local/libexec/gps /usr/local/etc/gps.conf
amavis  unix    -       -       n       -       2       smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20
127.0.0.1:65025 inet n    -       n       -       -     smtpd
     -o content_filter=
     -o smtpd_delay_reject=no
     -o smtpd_client_restrictions=permit_mynetworks,reject
     -o smtpd_helo_restrictions=
     -o smtpd_sender_restrictions=
     -o smtpd_recipient_restrictions=permit_mynetworks,reject
     -o smtpd_data_restrictions=reject_unauth_pipelining
     -o smtpd_end_of_data_restrictions=
     -o smtpd_restriction_classes=
     -o mynetworks=10.0.0.1,127.0.0.1
     -o smtpd_error_sleep_time=0
     -o smtpd_soft_error_limit=1001
     -o smtpd_hard_error_limit=1000
     -o smtpd_client_connection_count_limit=0
     -o smtpd_client_connection_rate_limit=0
     -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
     -o local_header_rewrite_clients=
proxywrite unix -       -       n       -       1       proxymap

And in the /usr/local/etc/postfix/transport file:

list.domeen.ee     mailman:

This file must afterwards be run through postmap, like so:

postmap /usr/local/etc/postfix/transport


I have no intention of describing what all these options mean, since Postfix's own documentation is sufficient for that.

The more important settings:

local_recipient_maps = $virtual_mailbox_maps
relay_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/relay_domains.cf, list.domeen.ee
virtual_alias_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_alias_maps.cf
virtual_mailbox_domains = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_domains_maps.cf
virtual_mailbox_maps = proxy:pgsql:/usr/local/etc/postfix/pgsql/virtual_mailbox_maps.cf
virtual_mailbox_base = /var/maildata
virtual_mailbox_limit = 51200000
virtual_minimum_uid = 465
virtual_transport = virtual
virtual_uid_maps = static:465
virtual_gid_maps = static:465
local_transport = virtual

Without these settings Postfix knows nothing about the users in the database or how mail is supposed to reach them.

local_recipient_maps is set to the same value as virtual_mailbox_maps

relay_domains is an SQL query for the domains that are given backup MX service. Plus list.domeen.ee - i.e. the list server.

virtual_alias_maps is an SQL query for the mail aliases for which mail may be accepted

virtual_mailbox_domains .. a query for the domains for which mail may be accepted

virtual_mailbox_maps a query for the mailboxes ( where they are, what permissions etc.. ) for delivering the mail

virtual_mailbox_base the FS path under which the mailboxes live ( prepended to what virtual_mailbox_maps returns )

virtual_uid_maps = static:465
virtual_gid_maps = static:465

... both the uid and the gid of all mailboxes are 465


The referenced files ( located under /usr/local/etc/postfix/pgsql - a directory the FreeBSD install does not create by default, so mkdir it or change the path in the options if you put them elsewhere ) that are used for the SQL queries when talking to PostgreSQL:

cat pgsql/relay_domains.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = true
cat pgsql/virtual_alias_maps.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT goto FROM alias WHERE address='%s' AND active = true

cat pgsql/virtual_domains_maps.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT domain FROM domain WHERE domain='%s' and backupmx = false and active = true
cat pgsql/virtual_mailbox_limits.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT quota FROM mailbox WHERE username='%s'
cat pgsql/virtual_mailbox_maps.cf
user = postfix
password = pass
hosts = localhost
dbname = postfix
query = SELECT maildir FROM mailbox WHERE username='%s' AND active = true
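To see how the main.cf settings above and these five query files fit together, here is an added example (not code from the page, from Postfix or from postfixadmin) that traces one envelope recipient through the same lookups: relay_domains, virtual_mailbox_domains, virtual_alias_maps, virtual_mailbox_maps and virtual_mailbox_limits. It stands in for the PostgreSQL database with an in-memory sqlite3 database, keeps only the columns those queries use, and fills it with constructed sample rows; the domains, addresses and maildir values are made up, and `/var/maildata` is the page's virtual_mailbox_base.

```python
import sqlite3

# Added example, not the page's or Postfix's own code. The "postfix" PostgreSQL
# database is stood in for by an in-memory sqlite3 database so the example
# runs offline; only the columns the page's pgsql/*.cf queries use are kept,
# and PostgreSQL booleans become 1/0.
SCHEMA = """
CREATE TABLE domain  (domain TEXT PRIMARY KEY, backupmx INTEGER NOT NULL, active INTEGER NOT NULL);
CREATE TABLE alias   (address TEXT PRIMARY KEY, goto TEXT NOT NULL, active INTEGER NOT NULL);
CREATE TABLE mailbox (username TEXT PRIMARY KEY, maildir TEXT NOT NULL,
                      quota INTEGER NOT NULL, active INTEGER NOT NULL);
"""

# Constructed sample rows: a primary domain, a backup-MX domain, a disabled
# domain, an active and a disabled mailbox, and several kinds of alias.
SAMPLE_ROWS = [
    ("INSERT INTO domain VALUES (?, ?, ?)", ("domeen.ee", 0, 1)),
    ("INSERT INTO domain VALUES (?, ?, ?)", ("backup.example", 1, 1)),
    ("INSERT INTO domain VALUES (?, ?, ?)", ("old.example", 0, 0)),
    ("INSERT INTO mailbox VALUES (?, ?, ?, ?)", ("mari@domeen.ee", "domeen.ee/mari/", 51200000, 1)),
    ("INSERT INTO mailbox VALUES (?, ?, ?, ?)", ("gone@domeen.ee", "domeen.ee/gone/", 0, 0)),
    ("INSERT INTO alias VALUES (?, ?, ?)", ("mari@domeen.ee", "mari@domeen.ee", 1)),   # self-alias
    ("INSERT INTO alias VALUES (?, ?, ?)", ("info@domeen.ee", "mari@domeen.ee", 1)),
    ("INSERT INTO alias VALUES (?, ?, ?)", ("team@domeen.ee", "mari@domeen.ee,someone@elsewhere.example", 1)),
    ("INSERT INTO alias VALUES (?, ?, ?)", ("old@domeen.ee", "mari@domeen.ee", 0)),    # disabled alias
]

# The queries from the page's pgsql/*.cf files. Postfix quotes the lookup key
# and substitutes it for %s itself; here that is a bound parameter instead.
QUERIES = {
    "relay_domains":           "SELECT domain FROM domain WHERE domain=? AND backupmx = 1",
    "virtual_mailbox_domains": "SELECT domain FROM domain WHERE domain=? AND backupmx = 0 AND active = 1",
    "virtual_alias_maps":      "SELECT goto FROM alias WHERE address=? AND active = 1",
    "virtual_mailbox_maps":    "SELECT maildir FROM mailbox WHERE username=? AND active = 1",
    "virtual_mailbox_limits":  "SELECT quota FROM mailbox WHERE username=?",
}

VIRTUAL_MAILBOX_BASE = "/var/maildata"   # virtual_mailbox_base from the page's main.cf


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    return conn


def lookup(conn, table, key):
    """One Postfix table lookup: the first column of every matching row."""
    return [row[0] for row in conn.execute(QUERIES[table], (key,))]


def expand_aliases(conn, address, depth=0):
    """Expand virtual_alias_maps recursively, the way cleanup(8) does. An entry
    whose goto is its own address (postfixadmin creates one per mailbox) ends
    the expansion; more than 10 hops is treated as an alias loop."""
    if depth > 10:
        raise RuntimeError("alias loop detected at %s" % address)
    targets = lookup(conn, "virtual_alias_maps", address)
    if not targets:
        return [address]
    expanded = []
    for goto in targets[0].split(","):   # postfixadmin stores multiple targets comma-separated
        goto = goto.strip().lower()
        if goto == address:
            expanded.append(goto)
        else:
            expanded.extend(expand_aliases(conn, goto, depth + 1))
    return expanded


def route(conn, recipient):
    """Trace one envelope recipient through the lookups main.cf wires together
    and return one decision per final address after alias expansion."""
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[-1]
    if lookup(conn, "relay_domains", domain):
        # backup-MX domain: accepted and queued for the primary MX, no local mailbox
        return [{"action": "relay", "recipient": recipient}]
    if not lookup(conn, "virtual_mailbox_domains", domain):
        # neither ours nor a backup-MX domain: reject_unauth_destination applies
        return [{"action": "reject", "recipient": recipient, "reason": "relay access denied"}]
    decisions = []
    for final in expand_aliases(conn, recipient):
        if not lookup(conn, "virtual_mailbox_domains", final.rsplit("@", 1)[-1]):
            # alias pointing outside our domains: sent on to the remote MX
            decisions.append({"action": "forward", "recipient": final})
            continue
        maildirs = lookup(conn, "virtual_mailbox_maps", final)
        if not maildirs:
            # local_recipient_maps = $virtual_mailbox_maps, so this gets the 550
            decisions.append({"action": "reject", "recipient": final, "reason": "unknown user"})
            continue
        quota = lookup(conn, "virtual_mailbox_limits", final)
        decisions.append({
            "action": "deliver",
            "recipient": final,
            # virtual(8) prepends virtual_mailbox_base to the looked-up maildir
            "maildir": VIRTUAL_MAILBOX_BASE + "/" + maildirs[0],
            "quota": quota[0] if quota else 0,
        })
    return decisions
```

Running `route(build_sample_db(), "team@domeen.ee")` returns one delivery into `/var/maildata/domeen.ee/mari/` and one forward to the external address; a disabled mailbox or a disabled alias ends as "unknown user", which is exactly what `local_recipient_maps = $virtual_mailbox_maps` buys you: the server refuses such recipients at RCPT TO instead of accepting and later bouncing them.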

Then create the directory /var/maildata and hand it over to courier

mkdir -p /var/maildata
chown -R courier:courier /var/maildata

Mail will then live under there, as the virtual_mailbox_base option says.

I'd suggest leaving the anti-spam part out at first and adding it only after you have read up on the relevant options in Postfix's documentation. If you do want to use it, you will also need to install the postfix-gps-devel port with PostgreSQL support.

For SMTP-AUTH, however, the server needs a certificate for TLS:

openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 3650

cyrus-sasl2

For the SMTP daemon to be able to talk to courier-authlib, a matching file is needed under /usr/local/lib/sasl2

cat /usr/local/lib/sasl2/smtpd.conf
pwcheck_method: authdaemond
log_level: 3
mech_list: PLAIN LOGIN
authdaemond_path: /var/run/authdaemond/socket

courier-authlib

This is the piece that brokers SMTP-AUTH/IMAP requests to the database.

The configs live in /usr/local/etc/authlib

cat /usr/local/etc/authlib/authdaemonrc
authmodulelist="authpgsql"
authmodulelistorig="authuserdb authvchkpw authpam authldap authmysql authpgsql"
daemons=3
authdaemonvar=/var/run/authdaemond
subsystem=mail
DEBUG_LOGIN=0
DEFAULTOPTIONS="wbnodsn=1"
LOGGEROPTS=""
cat /usr/local/etc/authlib/authpgsqlrc
PGSQL_PORT              5432
PGSQL_USERNAME          postfix
PGSQL_PASSWORD          pass
PGSQL_DATABASE          postfix
PGSQL_USER_TABLE        mailbox
PGSQL_CRYPT_PWFIELD     password
PGSQL_UID_FIELD         '465'
PGSQL_GID_FIELD         '465'
PGSQL_LOGIN_FIELD       username
PGSQL_HOME_FIELD        '/var/maildata'
PGSQL_NAME_FIELD        name
PGSQL_MAILDIR_FIELD     maildir

Courier-IMAP

Its configs live under /usr/local/etc/courier-imap

cat /usr/local/etc/courier-imap/imapd
ADDRESS=0
PORT=143
MAXDAEMONS=40
MAXPERIP=4
PIDFILE=/var/run/imapd.pid
TCPDOPTS="-nodnslookup -noidentlookup"
LOGGEROPTS="-name=imapd"
IMAP_CAPABILITY="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE"
IMAP_KEYWORDS=1
IMAP_ACL=1
IMAP_CAPABILITY_ORIG="IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA AUTH=CRAM-MD5 AUTH=CRAM-SHA1 AUTH=CRAM-SHA256 IDLE"
IMAP_PROXY=0 
IMAP_PROXY_FOREIGN=0
IMAP_IDLE_TIMEOUT=60
IMAP_CAPABILITY_TLS="$IMAP_CAPABILITY AUTH=PLAIN"
IMAP_CAPABILITY_TLS_ORIG="$IMAP_CAPABILITY_ORIG AUTH=PLAIN"
IMAP_DISABLETHREADSORT=0
IMAP_CHECK_ALL_FOLDERS=0
IMAP_OBSOLETE_CLIENT=0
IMAP_UMASK=022
IMAP_ULIMITD=65536
IMAP_USELOCKS=1
IMAP_SHAREDINDEXFILE=/usr/local/etc/courier-imap/shared/index
IMAP_ENHANCEDIDLE=0
IMAP_TRASHFOLDERNAME=Trash
IMAP_EMPTYTRASH=Trash:7
IMAP_MOVE_EXPUNGE_TO_TRASH=0
SENDMAIL=/usr/sbin/sendmail
HEADERFROM=X-IMAP-Sender
IMAPDSTART=NO
MAILDIRPATH=Maildir

cat /usr/local/etc/courier-imap/imapd-ssl
SSLPORT=993
SSLADDRESS=0
SSLPIDFILE=/var/run/imapd-ssl.pid
SSLLOGGEROPTS="-name=imapd-ssl"
IMAPDSSLSTART=YES
IMAPDSTARTTLS=YES
IMAP_TLS_REQUIRED=0
COURIERTLS=/usr/local/bin/couriertls
TLS_PROTOCOL=SSL3
TLS_STARTTLS_PROTOCOL=TLS1
TLS_CERTFILE=/usr/local/share/courier-imap/imapd.pem
TLS_VERIFYPEER=NONE
TLS_CACHEFILE=/usr/local/var/couriersslcache
TLS_CACHESIZE=524288
MAILDIRPATH=Maildir

You can generate the SSL certificate by copying the imapd.cnf.dist file to imapd.cnf, adapting its contents, and then running the mkimapdcert command.

cd /usr/local/etc/courier-imap
cp imapd.cnf.dist imapd.cnf
ee imapd.cnf
mkimapdcert

Configuring POP3 is very similar to IMAP and you can surely manage it yourself.

PostgreSQL

First a new user needs to be created:

CREATE USER postfix WITH PASSWORD 'pass';

And then a couple of databases:

CREATE DATABASE postfix OWNER postfix;
CREATE DATABASE postfix_gps OWNER postfix;

The first holds the domains and users, the second the postfix-gps greylist data.

Schema of the postfix database ( postfixadmin has the PostgreSQL patch from http://troels.arvin.dk/db/postfixadmin/ applied ):

CREATE TABLE "admin" (
    username character varying(255) NOT NULL,
    "password" character varying(255) DEFAULT ''::character varying NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE "admin" IS 'Postfix Admin - Virtual Admins';
CREATE TABLE alias (
    address character varying(255) NOT NULL,
    goto text NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE alias IS 'Postfix Admin - Virtual Aliases';
CREATE TABLE "domain" (
    "domain" character varying(255) NOT NULL,
    description character varying(255) DEFAULT ''::character varying NOT NULL,
    aliases integer DEFAULT 0 NOT NULL,
    mailboxes integer DEFAULT 0 NOT NULL,
    maxquota integer DEFAULT 0 NOT NULL,
    transport character varying(255),
    backupmx boolean DEFAULT false NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE "domain" IS 'Postfix Admin - Virtual Domains';
CREATE TABLE domain_admins (
    username character varying(255) NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE domain_admins IS 'Postfix Admin - Domain Admins';
CREATE TABLE log (
    "timestamp" timestamp with time zone DEFAULT now(),
    username character varying(255) DEFAULT ''::character varying NOT NULL,
    "domain" character varying(255) DEFAULT ''::character varying NOT NULL,
    "action" character varying(255) DEFAULT ''::character varying NOT NULL,
    data text DEFAULT ''::text NOT NULL
);
COMMENT ON TABLE log IS 'Postfix Admin - Log';
CREATE TABLE mailbox (
    username character varying(255) NOT NULL,
    "password" character varying(255) DEFAULT ''::character varying NOT NULL,
    name character varying(255) DEFAULT ''::character varying NOT NULL,
    maildir character varying(255) DEFAULT ''::character varying NOT NULL,
    quota integer DEFAULT 0 NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    modified timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
COMMENT ON TABLE mailbox IS 'Postfix Admin - Virtual Mailboxes';
CREATE TABLE vacation (
    email character varying(255) NOT NULL,
    subject character varying(255) NOT NULL,
    body text NOT NULL,
    "domain" character varying(255) NOT NULL,
    created timestamp with time zone DEFAULT now(),
    active boolean DEFAULT true NOT NULL
);
CREATE TABLE vacation_notification (
    on_vacation character varying(255) NOT NULL,
    notified character varying(255) NOT NULL,
    notified_at timestamp with time zone DEFAULT now() NOT NULL
);
ALTER TABLE ONLY "admin"
    ADD CONSTRAINT admin_key PRIMARY KEY (username);
ALTER TABLE ONLY alias
    ADD CONSTRAINT alias_key PRIMARY KEY (address);
ALTER TABLE ONLY "domain"
    ADD CONSTRAINT domain_key PRIMARY KEY ("domain");
ALTER TABLE ONLY mailbox
    ADD CONSTRAINT mailbox_key PRIMARY KEY (username);
ALTER TABLE ONLY vacation_notification
    ADD CONSTRAINT vacation_notification_pkey PRIMARY KEY (on_vacation, notified);
ALTER TABLE ONLY vacation
    ADD CONSTRAINT vacation_pkey PRIMARY KEY (email);
CREATE INDEX alias_address_active ON alias USING btree (address, active);
CREATE INDEX domain_domain_active ON "domain" USING btree ("domain", active);
CREATE INDEX mailbox_username_active ON mailbox USING btree (username, active);
CREATE INDEX vacation_email_active ON vacation USING btree (email, active);
ALTER TABLE ONLY alias
    ADD CONSTRAINT alias_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY domain_admins
    ADD CONSTRAINT domain_admins_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY mailbox
    ADD CONSTRAINT mailbox_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY vacation
    ADD CONSTRAINT vacation_domain_fkey FOREIGN KEY ("domain") REFERENCES "domain"("domain");
ALTER TABLE ONLY vacation_notification
    ADD CONSTRAINT vacation_notification_on_vacation_fkey FOREIGN KEY (on_vacation) REFERENCES vacation(email) ON DELETE CASCADE;

Schema of the postfix_gps database:

CREATE TABLE network (
    address character varying(16) DEFAULT ''::character varying NOT NULL,
    "comment" character varying(30) DEFAULT ''::character varying
);
CREATE TABLE pattern (
    expression character varying(200) DEFAULT ''::character varying NOT NULL,
    "comment" character varying(30) DEFAULT ''::character varying
);
CREATE TABLE recipient (
    address character varying(200) DEFAULT ''::character varying NOT NULL,
    "comment" character varying(30) DEFAULT ''::character varying
);
CREATE TABLE triplet (
    client_address character varying(40),
    sender character varying(160) NOT NULL,
    recipient character varying(160) NOT NULL,
    ip64 numeric(4,0) DEFAULT 0 NOT NULL,
    ip32 numeric(4,0) DEFAULT 0 NOT NULL,
    ip16 numeric(4,0) DEFAULT 0 NOT NULL,
    ip8 numeric(4,0) DEFAULT 0 NOT NULL,
    count integer DEFAULT 0 NOT NULL,
    uts integer NOT NULL
);
ALTER TABLE ONLY network
    ADD CONSTRAINT network_pkey PRIMARY KEY (address);
ALTER TABLE ONLY pattern
    ADD CONSTRAINT pattern_pkey PRIMARY KEY (expression);
ALTER TABLE ONLY recipient
    ADD CONSTRAINT recipient_pkey PRIMARY KEY (address);
ALTER TABLE ONLY triplet
    ADD CONSTRAINT triplet_pkey PRIMARY KEY (recipient, sender, ip64, ip32, ip16, ip8);

I assume you can manage the PostgreSQL configuration yourself - the documentation is quite sufficient for that.

Spam & Viruses

Amavis

amavisd-new performs both the spam and the virus check. Earlier, in the Postfix config, it was wired in like this:

content_filter=amavis:[127.0.0.1]:65024

The important lines of /usr/local/etc/amavisd.conf:

$max_servers = 2;            # num of pre-forked children (2..15 is common), -m
$daemon_user  = 'vscan';     # (no default;  customary: vscan or amavis), -u
$daemon_group = 'vscan';     # (no default;  customary: vscan or amavis), -g
$mydomain = 'domeen.ee';   # a convenient default for other settings
$inet_socket_port = 65024;   # listen on this local TCP port(s)
$myhostname = 'mail.domeen.ee';  # must be a fully-qualified domain name!
@av_scanners = (

['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
  qr/\bOK$/, qr/\bFOUND$/,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
);

This sets amavisd-new to listen on port 65024 and run as the user vscan. It does the antivirus check through ClamAV, with which it talks over the unix socket /var/run/clamav/clamd.
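The three regular expressions in the ClamAV-clamd entry above are what amavisd uses to read clamd's answer: the first recognises a clean result, the second an infection, and the third extracts the signature name while skipping a line that says only "Infected Archive". As an added example (not code from the page or from amavisd-new), here are the same patterns translated from Perl to Python and applied to constructed CONTSCAN replies; the temporary paths are made up, and only `Eicar-Test-Signature` is a real ClamAV signature name.

```python
import re

# Added example, not from the page or from amavisd-new itself: the three Perl
# qr// patterns of the page's ClamAV-clamd @av_scanners entry, translated to
# Python and applied to constructed clamd CONTSCAN replies.
CLEAN_RE    = re.compile(r"\bOK$")                                  # qr/\bOK$/
INFECTED_RE = re.compile(r"\bFOUND$")                               # qr/\bFOUND$/
NAME_RE     = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")  # signature-name extractor

# Constructed clamd output. The temp paths are made up; Eicar-Test-Signature
# is ClamAV's name for the EICAR test file.
TMP = "/var/amavis/tmp/amavis-20080301T120000-01234/parts"
SAMPLE_CLEAN    = TMP + "/p001: OK\n" + TMP + "/p002: OK\n"
SAMPLE_INFECTED = TMP + "/p001: OK\n" + TMP + "/p002: Eicar-Test-Signature FOUND\n"
SAMPLE_ARCHIVE  = (TMP + "/p003.zip: Infected Archive FOUND\n"
                   + TMP + "/p003.zip: Eicar-Test-Signature FOUND\n")
SAMPLE_ERROR    = TMP + ": Can't open file or directory ERROR\n"


def classify_clamd_output(output):
    """Return ("infected", [signature names]), ("clean", []) or ("unknown", [])
    for one CONTSCAN reply. Any FOUND line makes the message infected; the
    message is clean only if every line ends in OK; anything else (an ERROR
    reply, an empty reply) is unknown, which amavisd reports as a scanner
    failure rather than treating the mail as clean."""
    lines = [line for line in output.splitlines() if line.strip()]
    if any(INFECTED_RE.search(line) for line in lines):
        # the negative lookahead skips a line whose only finding is
        # "Infected Archive", so the real signature name is what gets reported
        names = [m.group(1) for m in map(NAME_RE.match, lines) if m]
        return "infected", names
    if lines and all(CLEAN_RE.search(line) for line in lines):
        return "clean", []
    return "unknown", []
```

The "unknown" branch is the one worth keeping in mind when tuning this: a scanner whose socket is unreadable (the permission problem described under ClamAV below) produces neither OK nor FOUND, and amavisd then has to decide between tempfailing the mail and passing it on unscanned, so the clamd socket permissions are part of the anti-virus path, not just a setup detail.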

ClamAV

/usr/local/etc/clamd.conf:

LogFile /var/log/clamav/clamd.log
LogFileMaxSize 20M
LogTime yes
LogVerbose no
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/db/clamav
LocalSocket /var/run/clamav/clamd
FixStaleSocket yes
MaxConnectionQueueLength 30
StreamMaxLength 50M
MaxThreads 20
User vscan
AllowSupplementaryGroups yes
ExitOnOOM yes
Debug yes
LeaveTemporaryFiles no
ScanMail yes

LocalSocket must be the same as in amavisd.conf, i.e. /var/run/clamav/clamd. The user must also be set to vscan, otherwise amavisd cannot talk to clamd because it has no permission to write to the socket.

/usr/local/etc/freshclam.conf

DatabaseDirectory /var/db/clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose no
PidFile /var/run/clamav/freshclam.pid
DatabaseOwner vscan
AllowSupplementaryGroups yes
DatabaseMirror database.clamav.net
ScriptedUpdates yes
Checks 24
NotifyClamd /usr/local/etc/clamd.conf

Again, user vscan.

It's worth noting here that initially /var/db/clamav and /var/log/clamav belong to the clamav user.. so they should be chowned to the vscan user.


Postfix-GPS, i.e. Greylisting

/usr/local/etc/gps.conf

dbtype=pgsql
db_host=localhost
db_username=postfix
db_password=pass
db_dbname=postfix_gps
timeout=60
wl_pattern=dbcached
wl_network=dbcached
wl_recipient=db
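To make the effect of this file concrete, here is an added example (not postfix-gps's own code) of a minimal greylisting policy in the shape of the Postfix policy-delegation protocol that the `policy` service in master.cf speaks over `unix:private/policy`: a request is a block of name=value lines ended by an empty line, and the reply is a single `action=` line. It keeps the triplet table in memory, uses the page's `timeout=60`, and models the three whitelists from gps.conf. What gps's wl_pattern is matched against is not stated on the page; applying it to the client hostname is an assumption of this example, as are the sample addresses.

```python
import re
import time
import ipaddress

# Added example, not postfix-gps's own code: an in-memory greylisting policy in
# the shape of a Postfix policy-delegation server. timeout=60 comes from the
# page's gps.conf; matching wl_pattern against the client hostname is an
# assumption made here.
GREYLIST_TIMEOUT = 60   # seconds


def parse_policy_request(raw):
    """Parse one Postfix policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    def __init__(self, timeout=GREYLIST_TIMEOUT, wl_networks=(), wl_patterns=(),
                 wl_recipients=(), clock=time.time):
        self.timeout = timeout
        self.wl_networks = [ipaddress.ip_network(n) for n in wl_networks]
        self.wl_patterns = [re.compile(p) for p in wl_patterns]
        self.wl_recipients = {r.lower() for r in wl_recipients}
        self.clock = clock          # injectable so the timeout can be tested
        self.triplets = {}          # (client, sender, recipient) -> (first_seen, hits)

    def whitelisted(self, attrs):
        """Return which whitelist (if any) exempts this request from greylisting."""
        if any(ipaddress.ip_address(attrs["client_address"]) in n for n in self.wl_networks):
            return "network"
        if any(p.search(attrs.get("client_name", "")) for p in self.wl_patterns):
            return "pattern"
        if attrs.get("recipient", "").lower() in self.wl_recipients:
            return "recipient"
        return None

    def decide(self, attrs):
        """Return the Postfix action for one request. DUNNO lets the remaining
        restrictions decide; DEFER_IF_PERMIT becomes a 450 temporary failure
        only if nothing later in the restriction list rejects the mail anyway."""
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"
        if self.whitelisted(attrs):
            return "DUNNO"
        key = (attrs["client_address"],
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        now = self.clock()
        first_seen, hits = self.triplets.get(key, (now, 0))
        self.triplets[key] = (first_seen, hits + 1)
        if now - first_seen < self.timeout:
            # unknown or too-recent triplet: a real MTA retries, most spamware does not
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"

    def respond(self, raw):
        """Full wire reply: the action line plus the empty line that ends it."""
        return "action=%s\n\n" % self.decide(parse_policy_request(raw))


# Constructed request in the format smtpd sends to the policy service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.10\n"
    "client_name=mx.example.net\n"
    "sender=alice@example.net\n"
    "recipient=bob@domeen.ee\n"
    "\n"
)

if __name__ == "__main__":
    g = Greylist(wl_networks=["10.0.0.0/8"], wl_recipients=["postmaster@domeen.ee"])
    print(g.respond(SAMPLE_REQUEST))   # first contact from this triplet: deferred
```

Note that the page hooks the policy service into smtpd_sender_restrictions while keeping smtpd_delay_reject = yes, so the query is still made at RCPT TO with the recipient attribute present, which is what the recipient whitelist relies on. Whitelisting postmaster and abuse addresses is the usual precaution so that greylisting never delays abuse reports.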

Mailman

All lists will live under the list.domeen.ee domain ( which must also really exist in DNS ). Since mailman declares all files in its home directory /usr/local/mailman as belonging to the mailman user, the postfix user must also be added to the mailman group - otherwise the list aliases unfortunately won't work.

pw groupmod mailman -m postfix

Then chmod the alias files under /usr/local/mailman/data so that the mailman group ( which the postfix user now belongs to.. ) can write them.

chmod 660 /usr/local/mailman/data/aliases /usr/local/mailman/data/aliases.db

Mailman's own config may look like this:

MTA = 'Postfix'
SMTPHOST = "localhost"
SMTPPORT = 65025
ALLOW_SITE_ADMIN_COOKIES = Yes
DEFAULT_URL_PATTERN = 'https://%s/mailman/'
PUBLIC_ARCHIVE_URL = 'https://%(hostname)s/pipermail/%(listname)s'
OWNERS_CAN_DELETE_THEIR_OWN_LISTS = Yes

Mailman talks to port 65025 because no virus check is done on that port. The virus check is done when messages arrive at the list - so there is no need to check the same messages a second time when sending them out.

When messages arrive at a list.domeen.ee address, Postfix hands them to the /usr/local/mailman/bin/postfix-to-mailman.py script ( see Postfix's master.cf and transport files )

It looks like this:

#!/usr/local/bin/python
# Configuration variables - Change these for your site if necessary.
MailmanHome = "/usr/local/mailman"; # Mailman home directory.
MailmanOwner = "postmaster@domeen.ee"; # Postmaster and abuse mail recipient.
# End of configuration variables.
# postfix-to-mailman-2.1.py (to be installed as postfix-to-mailman.py)
#  
# Interface mailman to a postfix with a mailman transport. Does not require
# the creation of _any_ aliases to connect lists to your mail system.
#
# Dax Kelson, dkelson@gurulabs.com, Sept 2002.
# converted from qmail to postfix interface
# Jan 2003: Fixes for Mailman 2.1
# Thanks to Simen E. Sandberg <senilix@gallerbyen.net>
# Feb 2003: Change the suggested postfix transport to support VERP
# Thanks to Henrique de Moraes Holschuh <henrique.holschuh@ima.sp.gov.br>
#
# This script was originally qmail-to-mailman.py by:
# Bruce Perens, bruce@perens.com, March 1999.
# This is free software under the GNU General Public License.
#
# This script is meant to be called from ~mailman/postfix-to-mailman.py. 
# It catches all mail to a virtual domain, eg "lists.example.com".
# It looks at the  recipient for each mail message and decides if the mail is
# addressed to a valid list or not, and bounces the message with a helpful
# suggestion if it's not addressed to a list. It decides if it is a posting, 
# a list command, or mail to the list administrator, by checking for the
#  -admin, -owner, and -request addresses. It will recognize a list as soon
# as the list is created, there is no need to add _any_ aliases for any list.
# It recognizes mail to postmaster, mailman-owner, abuse, mailer-daemon, root,
# and owner, and routes those mails to MailmanOwner as defined in the
# configuration variables, above.
#
# INSTALLATION:
#
# Install this file as ~mailman/postfix-to-mailman.py
#
# To configure a virtual domain to connect to mailman, edit Postfix thusly:
#
# /etc/postfix/main.cf:
#    relay_domains = ... lists.example.com
#    transport_maps = hash:/etc/postfix/transport
#    mailman_destination_recipient_limit = 1
#
# /etc/postfix/transport:
#   lists.example.com   mailman:
#
# /etc/postfix/master.cf
#    mailman unix  -       n       n       -       -       pipe
#      flags=FR user=mailman:mailman 
#      argv=/var/mailman/postfix-to-mailman.py ${nexthop} ${user}
# 
#
# Replace list.example.com above with the name of the domain to be connected
# to Mailman. Note that _all_ mail to that domain will go to Mailman, so you
# don't want to put the name of your main domain here. Typically a virtual
# domain lists.domain.com is used for Mailman, and domain.com for regular
# email.
#
import sys, os, re
 
def main():
    os.nice(5)  # Handle mailing lists at non-interactive priority.
                # delete this if you wish

    os.chdir(MailmanHome + "/lists")

    try:
        local = sys.argv[2]
    except:
        # This might happen if we're not using Postfix
        sys.stderr.write("LOCAL not set?\n")
        sys.exit(1)

    local = local.lower()
    local = re.sub("^mailman-","",local)

    names = ("root", "postmaster", "mailer-daemon", "mailman-owner", "owner",
             "abuse")
    for i in names:
        if i == local:
            os.execv("/usr/sbin/sendmail",
                     ("/usr/sbin/sendmail", MailmanOwner))
            sys.exit(0)

    type = "post"
    types = (("-admin$", "admin"),
             ("-owner$", "owner"),
             ("-request$", "request"),
             ("-bounces$", "bounces"),
             ("-confirm$", "confirm"),
             ("-join$", "join"),
             ("-leave$", "leave"),
             ("-subscribe$", "subscribe"),
             ("-unsubscribe$", "unsubscribe"))

    for i in types:
        if re.search(i[0],local):
            type = i[1]
            local = re.sub(i[0],"",local)

    if os.path.exists(local):
        os.execv(MailmanHome + "/mail/mailman",
                 (MailmanHome + "/mail/mailman", type, local))
    else:
        bounce()
    sys.exit(75)

def bounce():
    bounce_message = """\
TO ACCESS THE MAILING LIST SYSTEM: Start your web browser on
http://%s/
That web page will help you subscribe or unsubscribe, and will
give you directions on how to post to each mailing list.\n"""
    sys.stderr.write(bounce_message % (sys.argv[1])) 
    sys.exit(1)

try:
    sys.exit(main())
except SystemExit, argument:
    sys.exit(argument)

except Exception, argument:
    info = sys.exc_info()
    trace = info[2]
    sys.stderr.write("%s %s\n" % (info[1], argument))
    sys.stderr.write("Line %d\n" % (trace.tb_lineno))
    sys.exit(75)       # Soft failure, try again later.
    del trace, info